Configuring IBM Dependency Based Build (DBB) server to use RACF based authentication via z/OS LDAP SDBM

How To


Summary

This document explains how to configure the IBM Dependency Based Build (DBB) server to manage user access through the z/OS Lightweight Directory Access Protocol (LDAP) SDBM capability.

Objective

The purpose of this document is to describe the key configuration steps, and not to duplicate content that is already available in IBM Docs.

Environment

The DBB server runs on Linux and points to the LDAP SDBM server that runs on z/OS so that DBB users can use their z/OS user ID and password to authenticate.
This mechanism is illustrated in the following diagram.
[Diagram with two parts: a DBB server installed on Linux, which allows users to authenticate with their RACF user ID and password, and a z/OS server.]
This document is based on DBB 1.1.0 but is applicable to other DBB releases.

Steps

Before you start configuring the DBB server, you need to start the LDAP server on z/OS.
  1. Collecting key z/OS information and starting the LDAP server
    For the purpose of this document, a simplified LDAP SDBM set up was used on a z/OS system with the host name of tvt6012.svl.ibm.com.
    First, you must run the GLDSRV started task.
    You must note some parameters that you will use to connect to the LDAP server.
    In USER.GLD.CNFOUT(RACF), note the suffix parameter:
    For reference, this is the content of the USER.GLD.CNFOUT(DSENVVAR) file in our sample configuration:
    To test that your LDAP instance is working correctly, you can open an LDAP browser. Specify the z/OS information in the General tab as follows:
    • Enter the z/OS hostname in the Host field and specify its port and version.
    • Paste or enter the suffix in the Base and the Username fields.
    • Enter your credentials in the Account group:
      • Add your RACF user ID, preceded by racfid=, and the RACF profile type (for example, USER), preceded by profiletype=, to the beginning of the Username field.
      • Enter your RACF password in the Password field.
    Click OK to log into the LDAP server.
    The Directory Information Trees (DIT) in the LDAP Browser view shows the following information on the test system:
  2. Updating the DBB server configuration
    You update the DBB server in 3 files: server.xml, ldapUserRegistry.xml / userRegistryConfig.xml, and dbb.properties.
    You can find useful background information in the DBB documentation.
    For purposes of this document, let’s assume that the DBB server .tar file was expanded under /dbb1.1. Adjust the instructions to match your directories.
    1. Make any desired backups to your existing configuration before starting these changes.

      Note: The files should be backed up into another location rather than in the configuration directory itself.

    2. Copy /dbb1.1/wlp/usr/servers/dbb/config_sample/ldapUserRegistry.xml to /dbb1.1/wlp/usr/servers/dbb/configDropins/overrides/userRegistryConfig.xml.
    3. Make the following changes to the server.xml file, which is located in the /dbb1.1/wlp/usr/servers/dbb directory:
      1. Modify the administrator-role stanza in the following way:
        • Change the <user> from ADMIN to a valid z/OS RACF user ID if desired, or remove the <user> element.
        • Adjust the <group> to a valid RACF group.
        The result is something like:
        	<administrator-role>
        	    <group>JAZADMNS</group>
        	</administrator-role>
      2. Change the group names in the osgiApplication stanza to valid RACF group names, such as:
        	<osgiApplication id="dbb" location="dbb.eba" name="dbb">
        		<application-bnd>
        			<security-role name="DBBAdmins">
        				<group name="JAZADMNS" />
        			</security-role>
        			<security-role name="DBBUsers">
        				<group name="JAZUSERS" />
        			</security-role>
        			<security-role name="DBBGuests">
        				<group name="JAZZ00"/>
        			</security-role>
        		</application-bnd>
        	</osgiApplication>
        
        
    4. Modify the userRegistryConfig.xml file, which is located in the configDropins/overrides directory after the copy in Step 2.
      1. The file contains 3 ldapRegistry stanzas that show various types of configurations. The first ldapRegistry stanza is uncommented, while the second and third are commented out. The one to update is the third, marked with the comment “Example of LDAP (RACF)”. Comment out the first stanza and uncomment the third. You could also delete the first two and leave only the LDAP (RACF) stanza uncommented.
      2. Change the settings in the ldapRegistry stanza to match your environment; the bindDN uses the SDBM form racfid=<user ID>,profiletype=USER,<suffix>, where the suffix is the one noted in USER.GLD.CNFOUT(RACF). The idsFilters element should remain unchanged. The bind password can be obfuscated (not encrypted) with the Liberty securityUtility. The updated attributes of the ldapRegistry element should look like:

                      host="tvt6012.svl.ibm.com" port="389" ignoreCase="true"
                      baseDN="cn=RACF6012,o=IBM,c=SVL"
                      ldapType="IBM Tivoli Directory Server"
                      bindDN="racfid=bgreen,profiletype=USER,cn=RACF6012,o=IBM,c=SVL"
                      bindPassword="{xor}Mm9sbmgyPi0=">

    5. Restart the DBB server after making the configuration changes, and attempt to log in as a valid RACF user who is a member of the RACF group mapped to the DBBAdmins role.
      The log files located at /dbb1.1/wlp/usr/servers/dbb/logs can be useful for debugging purposes, particularly dbb.log.
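As an added example (not part of this document or of DBB), the following Python check can be run over userRegistryConfig.xml before the restart in Step 5: it verifies that bindDN has the SDBM shape racfid=<id>,profiletype=USER,<suffix>, that the suffix matches baseDN, that bindPassword is encoded rather than clear text, and flags a plain port 389 without TLS (sslEnabled is Liberty's ldapRegistry attribute, not mentioned above). The embedded XML, its id/realm values and the password value are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the ldapRegistry fragment in Step 4;
# id, realm and the bindPassword value are placeholders, not DBB's own.
SAMPLE_XML = """<server>
  <ldapRegistry id="ldap" realm="RACFRealm"
                host="tvt6012.svl.ibm.com" port="389" ignoreCase="true"
                baseDN="cn=RACF6012,o=IBM,c=SVL"
                ldapType="IBM Tivoli Directory Server"
                bindDN="racfid=bgreen,profiletype=USER,cn=RACF6012,o=IBM,c=SVL"
                bindPassword="{xor}EXAMPLEONLY=">
  </ldapRegistry>
</server>"""

# SDBM bind DN: racfid=<1-8 char RACF user ID>,profiletype=USER,<suffix>
BIND_DN_RE = re.compile(
    r"^racfid=([A-Z0-9@#$]{1,8}),profiletype=USER,(.+)$", re.IGNORECASE)


def check_ldap_registry(xml_text):
    """Return a list of findings; an empty list means the stanza is consistent."""
    findings = []
    reg = ET.fromstring(xml_text).find("ldapRegistry")
    if reg is None:
        return ["no ldapRegistry stanza found"]
    base_dn = reg.get("baseDN", "").replace(" ", "").lower()
    match = BIND_DN_RE.match(reg.get("bindDN", ""))
    if not match:
        findings.append("bindDN is not in SDBM form racfid=<id>,profiletype=USER,<suffix>")
    elif match.group(2).replace(" ", "").lower() != base_dn:
        findings.append("bindDN suffix does not match baseDN")
    # securityUtility writes {xor} (obfuscated) or {aes} (encrypted) prefixes
    if not reg.get("bindPassword", "").startswith(("{xor}", "{aes}")):
        findings.append("bindPassword is stored in clear text; encode it with securityUtility")
    # Without TLS the RACF password of every DBB user crosses the network in the clear
    if reg.get("port") == "389" and reg.get("sslEnabled", "false").lower() != "true":
        findings.append("port 389 without sslEnabled: RACF passwords cross the network unencrypted")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_registry(SAMPLE_XML):
        print("WARNING:", finding)
```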

Product Synonym

DBB

Document Information

Modified date: 11 July 2022

UID: ibm16455257